PUF Evaluation with Post-processing and Modified Modeling Attack

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

PUF Evaluation with Post-processing and Modified Modeling Attack Hyunho Kang1, Yohei Hori2, Toshihiro Katashita2, Akashi Satoh3, and Keiichi Iwamura1 1

Department of Electrical Engineering, Tokyo University of Science, 6-3-1 Niijuku, Katsushika-ku, Tokyo 125-8585, Japan 2 Research Institute for Secure Systems, National Institute of Advanced Industrial Science and Technology (AIST),Central 2, 1-1-1 Umezono, Tsukuba, Ibaraki 305-8568, Japan 3 Department of Communication Engineering and Informatics, The University of Electro-Communications,1-5-1 Chofugaoka, Chofu, Tokyo 182-8585, Japan 1

2

[email protected], [email protected] [email protected], [email protected], [email protected] Abstract

Physical unclonable functions (PUFs) have outstanding unique and non-reproducible properties owing to inter-chip variations. However, the amount of randomness in a PUF output could be a significant limitation. In this study, by passing the PUF response to a shift register, the randomness of the PUF output can be greatly increased while maintaining reliability. We discuss the performance of an arbiter-type PUF and a ring-oscillator-type PUF with a simple shift register from the viewpoint of biometrics. Moreover, PUFs, particularly linear delay-based PUFs, are not designed for machine learning or linear programming, which makes innovation difficult. We further focus on an efficient PUF evaluation method by using linear programming and logistic regression in the case of the challenge response pairs (CRPs) with low entropy. Keywords: Physical Unclonable Function (PUF), Arbiter PUF, Ring Oscillator PUF, SASEBO-GII, Performance Evaluation

1. Introduction Physical unclonable functions (PUFs) involve variations in device manufacturing and could be useful for authentication of integrated circuits or for key storage using highly secure methods. This is considered one of the most striking discoveries in the computer security field and is ushering in a new era for security [1]. Over the past decade, several interesting constructions have been proposed in the literature [2]. The arbiter PUF [3] and ring oscillator (RO) PUF [4, 5] are the most popular designs, which produce a unique output for each challenge input. However, it has been claimed that the amount of randomness in the PUF output is limited [6]. Therefore, the response of the PUF cannot be used directly as a key. Thus, several post-processing schemes for the PUF output have been developed, such as majority voting and the fuzzy extractor [6, 7]. Majority voting is a convenient method to poorly transform uniform and noisy measurements into more random distributions with less noise, while the fuzzy extractor corrects bit errors in the non-uniform PUF responses and extracts uniform random bits. However, these methods fail to increase the amount of randomness in the PUF output to a sufficient level.

231

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

One solution is to pass the PUF output through a simple shift register so that randomness can be greatly increased while maintaining reliability. In this paper, we discuss the performance of a shift-register-based post-processing from the viewpoint of biometrics, i.e., using the equal error rate (EER). In addition, we focus on determining the reliability and security (uniqueness) of the system on the basis of the differences in the outputs from the same PUFs and from different PUFs for the same challenge (SC intra-PUF and SC inter-PUF, respectively). We performed an evaluation using modeling attacks of Silicon arbiter PUFs. Lim et al., [8] introduced arbiter-based PUFs that use a differential structure and an arbiter to measure the difference in the delay between the paths. However, if a notable correlation exists between challenges and responses, then an adversary can build a software model of the PUF. Recent studies [9, 10] showed that model building might be feasible by using machine learning techniques or linear programming. Note that we are concerned with a combined modeling attack when challenge response pairs (CRPs) with low entropy exist. In this context, entropy means the degree of randomness of CRPs. The rest of the paper is organized as follows: in Section 2, our evaluation approach is presented; in Section 3, the concept of shift-register post-processing is described; in Section 4, our experimental results are presented; in Section 5, the evaluation of combined modeling attacks are presented; finally, in Section 6, we present our conclusions.

2. Evaluation Approach PUFs can be evaluated on the basis of the differences in the responses of the same device (intra-PUF) and of the differences between devices (inter-PUF). Furthermore, they can be evaluated for differences in the responses to the same challenge (SC) and to different challenges (DC). Thus, we define the following four parameters, as illustrated in Figure 1: SC intra-PUF, DC intra-PUF, SC inter-PUF, and DC inter-PUF. First, to evaluate the reliability of our PUF system, experiments were conducted to measure the EER and sensitivity index d  for each PUF system using SC intra-PUF and DC intra-PUF. Ideally, SC intra-PUF should be small and DC intra-PUF should be large; in other words, these two distributions should be sufficiently separated from each other. In the biometric research community, the overall accuracy is illustrated by the receiver operation characteristic (ROC) curve, which shows the dependence of the false rejection rate (FRR) on the false acceptance rate (FAR) at all thresholds. The EER is computed as the point where FAR is equal to FRR. To evaluate our PUF testing, we also utilized these properties. In addition, we defined a metric d  , as suggested by Daugman [11], to assess the degree of separation between the two distributions:

d 

m  n

1 2 ( m   n2 ) 2

(1)

where  m and  n are the means and  m and  n are the standard deviations of the two distributions, respectively. Second, large SC inter-PUF and DC inter-PUF of complete PUF systems would be ideal to test the security of the PUF systems (i.e., uniqueness). However, in this research, we studied only SC intra-PUF and SC inter-PUF to evaluate the PUF systems with and without shiftregister-based post-processing.

232

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

Challenge (64bits) 1 0

Riging Edge

AIST dataset 1 0

1 0

c1

c2

c64

0 1

0 1

0 1

Mux1 RO2

1

. . .

Challenge1(9bits) Challenge2(9bits)

RO512

Arbiter PUF1

…

Arbiter PUF45

VirginiaTech Dataset

Response 0 or 1

>?

…

RO-PUF1

Mux2



RO-PUF125



…

shift

20 times of test

5

…

50 kinds of IDs

1 1 if top path is faster, 0 else 0

Arbiter

Response (1bit)

RO1

Enable

Response (1bit)

Not change Reliability Higher Security (Uniqueness)

128bits response direction 128bits response

Limitation of randomness =>Post-processing is needed

2

128

Hamming distance (HD)

3

SC DC

0

HD

Security (Uniqueness)

Count rate

Count rate

Count rate

Reliability Same challenge (SC) Different challenge (DC)

0

4

• Regarding all devices

• Regarding each device

128

SC Intra-PUF SC Inter-PUF

0

HD

128

(ID:50, Test:20) SC Intra-PUF: 9,500 pair comparisons, DC Intra-PUF: 490,000 pair comparisons (Devices: 45) SC Inter-PUF: 19,800,000 pair comparisons, DC Inter-PUF: 485,100,000 pair comparisons (Devices: 125) SC Inter-PUF: 155,000,000 pair comparisons, DC Inter-PUF: 3,797,500,000 pair comparisons

Figure 1. Schematic of our Evaluation Approach

3. Shift Register Figure 1 (arrow 5) shows the creation of the shifted response database. Note that shifting bits to the right depends on the intrinsic properties of each PUF. In our experiment, fixed bits were shifted for testing, e.g., 1 bit for PUF1, 2 bits for PUF2, and 45 bits for PUF45. Notably, shifting with a 128-bit response direction is simple and easily applicable to the PUF output while maintaining reliability.

233

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

4. Experimental Results 4.1. Arbiter PUF The field-programmable gate arrays (FPGAs) used in this experiment were a Xilinx's Virtex-5LX (xc5vlx30-ffg324) and a Spartan-3A (xc3s400a-ftg256) on SASEBO-GII evaluation boards [12-13]. We selected 45 arbiter PUF outputs from 20 tests and 50 kinds of IDs (called “AIST dataset” in Figure 1) from a total of 45 outputs with 1024 tests and 1024 kinds of IDs [14]. First, we tested the reliability of each PUF output. As shown in Figure 2(a), the SC intra- PUF distribution and the DC intra-PUF distribution were computed and plotted to determine how the PUF algorithm separates the two classes. The figure shows a histogram of the count rates versus the hamming distance for the PUF1 output. In this experiment, we obtained ideal results with no errors. As shown in Figure 2(b), all of the other results also had zero error and a stable d  . Therefore, we can conclude that the reliability of each PUF output is high. In addition, we considered the EER and d  values to evaluate the security (uniqueness) for 45 arbiter PUFs (“SC intra gathering from 45 PUFs” and “SC inter gathering from 45 PUFs”). Figure 2(c) shows a histogram of the count rate versus the hamming distance for all PUF outputs combined (45 arbiter PUFs). In this experiment, the threshold number was set to 4 and the EER was 2.89%. Even though this performance is sufficient for a non-strict authentication system, it is not suited for a strict authentication system, such as in cryptographic applications. In order to solve this problem, we applied shift registers for post-processing the PUF output. As shown in Figure 2(d), the distribution with a shift register (“SC inter gathering from 45 shifted PUFs”) is ideal with no errors, and d  is 15.18 against “SC intra gathering from 45 PUFs.” 4.2. Ring Oscillator PUF In this experiment, we selected 125 PUF outputs with 20 tests and 50 kinds of IDs from a total of 125 RO-PUF outputs (called “VirginiaTech Dataset” in Figure 1) that were collected from 125 Xilinx Spartan (XC3S500E) FPGAs [15]. (Each output contained 512 lines for 512 ROs, and each line contained 100 RO frequencies.) We first tested the reliability of each PUF output. As shown in Figure 3 (a) and (b), all of the results had zero error rates. Therefore, we can conclude that the reliability of each RO-PUF output is high. In addition, we considered the EER and d  to evaluate the security (uniqueness) of the RO-PUFs (“SC intra gathering from 125 RO-PUFs” and “SC inter gathering from 125 RO-PUFs”). As shown in Figure 3 (c), the result showed a zero error rate. Thus, the security of the RO-PUFs using the VirginiaTech dataset is reasonably good, even though d  is slightly small (8.48). In order to maintain stable security, it is desirable to sufficiently separate the two distributions. Therefore, we can apply the shift function to the PUF output in the same way as in the previous subsection. As shown in Figure 3 (d), the distribution with the shift register (“SC inter gathering from shifted 125 ROPUFs”) is ideal with no errors, and d  is 15.50 against “SC intra gathering from 125 RO-PUFs.”

234

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

0.7

EER: 0.00, FAR: 0.00, FRR: 0.00, d': 15.96

20

SC intra-PUF1 DC intra-PUF1

0.6

18

16.2361

15.9818 16.4721 16.1250

16.4258

16.2271

14

0.4

16.0106 15.7900 15.7485 16.1913 12 15.9590 16.0804 10

9,500 pair comparisons

0.3

d'

Count rate

16

0.5

490,000 pair comparisons

15.8621 15.6608

8 6

0.2

High Reliability

4

0.1 0 0

2

20

40

60

80

100

0 0

120

5

10

0.7

0.7

SC intra gathering from 45 PUFs SC inter gathering from 45 PUFs

Count rate

Count rate

427,500 pair comparisons

35

40

45

SC intra gathering from 45 PUFs SC inter gathering from shifted 45 PUFs

Higher Uniqueness 0.4

427,500 pair comparisons

0.3

19,800,000 pair comparisons

0.2

19,800,000 pair comparisons

0.1

0.1 0 0

30

0.5

0.4

0.2

25

EER: 0.00, FAR: 0.00, FRR: 0.00, d' : 15.18

0.6

0.5

0.3

20

(b) d’ of each DC intra-PUF against SC intra-PUF (Reliability in 45 Arbiter PUFs)

EER: 2.89, FAR: 4.75, FRR: 1.02, T: 4, d' : 3.32

0.6

15

The index of tested PUFs

HD (a) Distribution of SC intra-PUF and DC intra-PUF (Reliability in Arbiter PUF1)

20

40

60

80

100

120

0 0

20

40

60

80

100

120

HD

HD

(c) Distribution of SC intra-PUF and SC inter-PUF which are combined with all pair comparisons

(d) Histogram result using shifted data (Security in 45 Arbiter PUFs)

Figure 2. Reliability and Security in 45 Arbiter PUFs

5. Modeling Attacks using two PUFs with Aging Degradation A system large-scale integration (LSI) is known to cause hardware error due to age-related degradation. In our modeling attack, the arbiter PUF was tested about two years after the PUFs were first manufactured. Although the test had a very interesting outcome, the arbiter PUF eventually became more stable as a consequence of this test. For the data in this study, we selected the CRPs for 10 test iterations using 200 IDs from each of two tested SASEBO-GII boards, which are different boards implemented with the same arbiter PUF structure.

235

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

0.7

EER: 0.00, FAR: 0.00, FRR: 0.00, d': 15.38

20

SC intra-RO-PUF1 DC intra-RO-PUF1

0.6

18

16.4628

15.9971

15.4272

15.9930

15.9908

16 14 12

0.4

d'

Count rate

0.5

9,500 pair comparisons 490,000 pair comparisons

0.3

15.1849

15.3794

14.9756

14.7620

14.7656

10 8

High Reliability

6

0.2

4

0.1 0 0

2

20

40

60

80

100

0 0

120

HD (a) Distribution of SC intra-RO-PUF and DC intra-RO-PUF (Reliability in RO-PUF1)

0.7

EER: 0.00, FAR: 0.00, FRR: 0.00, d' : 8.48

0.7

SC intra gathering from 125 RO-PUF SC inter gathering from 125 RO-PUF

0.6

155,000,000 pair comparisons

80

100

120

EER: 0.00, FAR: 0.00, FRR: 0.00, d' : 15.50 SC intra gathering from 125 RO-PUF SC inter gathering from shfted 125 RO-PUF

Higher Uniqueness

0.4

1,187,500 pair comparisons

0.3

155,000,000 pair comparisons

0.2

0.1 0 0

Count rate

Count rate

1,187,500 pair comparisons

0.3

60

(b) d’ of each DC intra-RO-PUF against SC intra-RO-PUF (Reliability in 125 RO-PUFs)

0.5

0.4

40

The index of tested RO-PUFs

0.6

0.5

0.2

20

0.1

20

40

60

80

100

120

HD (c) Distribution of SC intra-RO-PUF and SC inter-RO-PUF which are combined with all pair comparisons

0 0

20

40

60

80

100

120

HD (d) Histogram result using shifted data (Security in 125 RO-PUFs)

Figure 3. Reliability and Security in 125 RO-PUFs By comparing the SC intra and DC intra of PUF1 and PUF2 in Figure 4, we see that the PUF’s HD (Hamming Distance) is divided into two distinct classes depending on the properties of the challenge. The peaks of the two sets of histograms are clearly separated, indicating that errors did not occur, in terms of FAR and FRR. The test for uniqueness indicates that no identification errors exists because the intra and inter SC distributions do not overlap. However, their uniqueness is clearly not stable. As mentioned in the introduction, we focused on efficient modeling attacks against CRPs with low entropy. Therefore, these unstable data are suitable for this scenario. 5.1. Linear Programming We describe an equation extracted from Ref. [9]. Equation 2 is extremely useful when carrying out a linear programming attack. Here, the y i parameter denotes the imbalance in the signal propagation paths in the i th stage of the PUF. If we can determine the parameter values with reasonable precision, we can compute the PUF’s response to an arbitrary challenge.

236

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

Number of comparison : 9000 (SC Intra-PUF), 1990000 (DC Intra-PUF) 20000 (SC Inter-PUF), 1990000 (DC Inter-PUF) 0.35

0.3

SC Intra of PUF1 SC Intra of PUF2 DC Intra of PUF1 DC Intra of PUF2 SC Inter of two PUFs DC Inter of two PUFs

SC Intra of PUF2 SC Intra of PUF1

0.25 0.07

0.065

0.2

Minimum HD of SC Inter: 12 0.15

DC Intra of PUF1 DC Inter of two PUFs

Count rate

Count rate

Maximum HD of SC intra: 9

0.06

DC intra of PUF2 0.055

SC Inter of two PUFs 0.05

magnification

0.1 0.045 51

52

53

54

55

56

57

58

59

Hamming distance

DC Intra of PUF1 DC Intra of PUF2 DC Inter of two PUFs

0.05

0

0

20

40

60

80

100

120

Hamming distance

Figure 4. Reliability and Uniqueness of Two PUFs with Two Years of Degradation

 (1) P1  R  P( 2)  R( 2) (1) 1    P1( k )  R ( k ) (1) (1)

(1 )

(1)

 R (1)

 (1) Pn

(2)

 R( 2)

 (1) Pn

(1) P2 (1) P2

 (k )

(1) P2

( 1)

 R ( 1)

(2)

 R(2)

  R( k )

(k )

 (1) Pn

 R(k )

(1 ) (1) R   y1  (2)    (1) R   y 2   0        (k )  (1) R   y n 1 

(2)

where R and P denote the response bits and Pi  Ci  Ci 1    Cn with challenge C . This paper does not discuss this topic in detail but offers some information regarding implementation. The following MATLAB function (linprog) from the optimization toolbox solves linear programming problems.

y  linprog ( f , A, b) This function solves min f   y such that A  y  b . The left-hand side of Equation 2 can be used as the input parameter A . P formed by an arbitrary challenge (refer to Equation 2) is used as the input parameter f .

237

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

5.2. Logistic Regression We present a summary of logistic regression, according to Ref. [10]. The output t of an arbiter PUF is determined by the sign of the final delay difference. Equation 3 shows



 

that the vector  via  T   0 defines a separating hyperplane in the space of all feature vectors  . In other words, the determination of this hyperplane allows PUF prediction.

  t  sgn( T )

(3)

  where  and  denote the delays (similar to y in the previous subsection) and a function of the applied k-bit challenge C . This function can be described as follows:



k i 1

(1  2bi ) for l  1,, k

where b denotes the challenge bits. It is important to note that  provides a solution, similar to P in the previous subsection. LIBLINEAR [16, 17], which was used in this study, is an open-source library and can support logistic regression and linear support vector machines. 5.3. Combined Modeling Attack As mentioned earlier, the tested CRPs used in the experiments have low entropy. Therefore, as the first step in our analysis, we examined zero/one prediction rate by using logistic regression and a linear programming method. The results of analysis show that logistic regression gives an optimal solution in the case of one prediction (the response bit), while linear programming gives an optimal solution in the case of zero predictions (refer to Figure 5). We can combine them to develop an efficient evaluation method against these PUFs with low entropy. Figures 6–8 show the prediction success rate against the required number of CRPs.

……. c1

c2

Arbiter

c6 3

1 0

c6 4

Challenge (64bits)

Response (1bit)

CRPs Low entropy

High entropy General evaluation

Logistic regression

Linear programming

Zero prediction rate : 68.90% One prediction rate : 97.60% Zero prediction rate : 85% One prediction rate : 69%

Combined modeling attack (efficient evaluation method)

Figure 5. Arbiter-based PUF and the Concept of a combined Modeling Attack

238

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

Maximum rate/index of one response: 97.600%/17157 Maximum rate/index of response: 88.50%/7669 Maximum rate/index of zero response: 68.90%/6797

100 90

Prediction success rate (%)

80

One response

Response 70 60 50

Zero response 40 30

Response Zero response One response

20 10 0

2000

4000

6000

8000

10000

CRPs

12000

14000

16000

18000

Performed by logistic regression

Figure 6. Prediction Success Rate obtained by Logistic Regression (CRPs: 1– 18000) Maximum rate/index of one response: 69.00%/4 Maximum rate/index of zero response: 84.00%/10

100 90

Prediction success rate (%)

80 70 60 50 40 30 20

Zero response One response

10 0 100

200

300

400

500

600

CRPs

700

800

900

1000

Performed by Linear Programming

Figure 7. Prediction Success Rate obtained by Linear Programming (CRPs: 100–1000)

239

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

Maximum rate/index of one response: 66.00%/1 Maximum rate/index of zero response: 85.00%/3

100 90

Prediction success rate (%)

80 70 60 50 40 30 20

Zero response One response

10 0

1000

3000

5000

7000

9000

CRPs

11000

13000

15000

17000

Performed by Linear Programming

Figure 8. Prediction Success Rate Obtained by Linear Programming (CRPs: 1000–18000)

6. Conclusions We experimentally showed that the addition of a shift operation as a post-processing method is an effective approach in increasing randomness in PUFs, even though this approach is valid only under the assumption that shifting is an intrinsic property. In addition, PUF evaluation was tested with logistic regression and a linear programming method. The tested CRP data have extremely low entropy; however, by combining the results, we can conclude that this approach can be an efficient evaluation method with strong analytical abilities. *This paper is an extended version of the paper “Performance of Physical Unclonable Functions with Shift-Register-Based Post-processing” presented to the Security Technology (SecTech2012) [18].

References [1] Physical Unclonable Function Is Ushering a New Era for Security, SmartCards Trends, OMNIPRESS, (2012), December-January. [2] A. Sadeghi and D. Naccache, Editor, “Towards Hardware-Intrinsic Security”, Springer, (2010). [3] J. Lee, D. Lim, B. Gassend, G.E. Suh, M. van Dijk and S. Devadas, “A Technique to Build a Secret Key in Integrated Circuits for Identification and Authentication Applications”, IEEE 2004 Symposium on VLSI Circuits, (2004). [4] G. E. Suh and S. Devadas, “Physical Unclonable Functions for Device Authentication and Secret Key Generation”, IEEE Design Automation Conference, DAC2007, (2007). [5] A. Maiti, J. Casarona, L. McHale and P. Schaumont, “A Large Scale Characterization of RO-PUF”, IEEE International Symposium on Hardware Oriented Security and Trust, HOST2010, (2010).

240

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

[6] R. Maes, P. Tuyls and I. Verbauwhede, “Intrinsic PUFs from Flip-flops on Reconfigurable Devices”, 3rd Benelux Workshop on Information and System Security, WISSec2008, (2008). [7] Y. Dodis, L. Reyzin and A. Smith, “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data”, Advances in Cryptology-Eurocrypt 2004, LNCS3027, pp.523-540, Springer Verlag, (2004). [8] D. Lim, J. W. Lee, B. Gassend, G. E. Suh, M. van Dijk and S. Devadas, “Extracting Secret Keys From Integrated Circuits”, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 13, no. 10, (2005) October. [9] E. Ozturk, G. Hammouri and B. Sonar, “Towards Robust Low Cost Authentication for Pervasive Devices”, IEEE International Conference on Pervasive Computing and Communications, (2008), pp. 170-178. [10] U. Ruhrmair, F. Sehnke, J. Solter, G. Dror, S. Devadas and J. Schmidhube, “Modeling Attacks on Physical Unclonable Functions”, Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10), (2010) October 4-8. [11] J. G. Daugman and G. O. Williams, “A Proposed Standard for Biometric Decidability”, Proceedings of CardTech/SecureTech Conference, (1996), pp. 223-234. [12] A. Satoh, T. Katashita and H. Sakane, “Secure Implementation of Cryptographic Modules: Development of a Standard Evaluation Environment for Side Channel Attacks”, Synthesiology-English Edition, vol. 3, no. 1, (2010), pp. 86-95. [13] The download site of Side-channel Attack Standard Evaluation BOard support file in AIST (National Institute of Advanced Industrial Science and Technology), http://www.risec.aist.go.jp/project/sasebo/. [14] Y. Hori, T. Katashita, A. Satoh and T. Yoshida, “Quantitative and Statistical Performance Evaluation of Arbiter Physical Unclonable Functions on FPGAs”, International Conference on ReConFigurable Computing and FPGAs, ReConFig2010, (2010). [15] On-chip Variability Data, “The Secure Embedded System Group of the ECE Department at Virginia Tech”, http://rijndael.ece.vt.edu/variability/download.html. [16] A Library for Large Linear Classification. http://www.csie.ntu.edu.tw/~cjlin/liblinear/. [17] R. Fan, K. Chang, C. Hsieh, X. Wang and C. Lin, “LIBLINEAR: A Library for Large Linear Classification”, Journal of Machine Learning Research, vol. 9, (2008). [18] H. Kang, Y. Hori, T. Katashita and A. Satoh, “Performance of Physical Unclonable Functions with ShiftRegister-Based Post-processing”, SecTech/CA/CES3 2012, CCIS 339, Springer Verlag, (2012), pp. 14-21.

241

International Journal of Security and Its Applications Vol. 7, No. 4, July, 2013

242